From 9074d9859e44390ee1deec2c27cef6c9780b0c8c Mon Sep 17 00:00:00 2001 From: Franz Pletz Date: Sat, 10 Dec 2016 17:08:42 +0100 Subject: [PATCH] linux: add patch to fix CVE-2016-8655 See https://lwn.net/Articles/708319/ for more information. --- pkgs/os-specific/linux/kernel/patches.nix | 10 ++++++++- pkgs/top-level/all-packages.nix | 26 +++++++++++++++++++---- 2 files changed, 31 insertions(+), 5 deletions(-) diff --git a/pkgs/os-specific/linux/kernel/patches.nix b/pkgs/os-specific/linux/kernel/patches.nix index 3fab12b64a6..66f03edbdf2 100644 --- a/pkgs/os-specific/linux/kernel/patches.nix +++ b/pkgs/os-specific/linux/kernel/patches.nix @@ -149,6 +149,14 @@ rec { url = "https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git" + "/patch/drivers/lguest/x86/core.c?id=cdd77e87eae52"; sha256 = "04xlx6al10cw039av6jkby7gx64zayj8m1k9iza40sw0fydcfqhc"; + }; + }; + + packet_fix_race_condition_CVE_2016_8655 = + { name = "packet_fix_race_condition_CVE_2016_8655.patch"; + patch = fetchpatch { + url = "https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/patch/?id=84ac7260236a49c79eede91617700174c2c19b0c"; + sha256 = "19viqjjgq8j8jiz5yhgmzwhqvhwv175q645qdazd1k69d25nv2ki"; + }; }; - }; } diff --git a/pkgs/top-level/all-packages.nix b/pkgs/top-level/all-packages.nix index 1959cbe4645..07b5f4d021a 100644 --- a/pkgs/top-level/all-packages.nix +++ b/pkgs/top-level/all-packages.nix @@ -10927,6 +10927,7 @@ in linux_mptcp = callPackage ../os-specific/linux/kernel/linux-mptcp.nix { kernelPatches = [ kernelPatches.bridge_stp_helper + kernelPatches.packet_fix_race_condition_CVE_2016_8655 ] ++ lib.optionals ((platform.kernelArch or null) == "mips") [ kernelPatches.mips_fpureg_emu @@ -10936,11 +10937,18 @@ in }; linux_rpi = callPackage ../os-specific/linux/kernel/linux-rpi.nix { - kernelPatches = [ kernelPatches.bridge_stp_helper ]; + kernelPatches = with kernelPatches; [ + bridge_stp_helper + packet_fix_race_condition_CVE_2016_8655 + ]; }; linux_3_10 = callPackage ../os-specific/linux/kernel/linux-3.10.nix { - kernelPatches = with kernelPatches; [ bridge_stp_helper lguest_entry-linkage ] + kernelPatches = with kernelPatches; + [ bridge_stp_helper + lguest_entry-linkage + packet_fix_race_condition_CVE_2016_8655 + ] ++ lib.optionals ((platform.kernelArch or null) == "mips") [ kernelPatches.mips_fpureg_emu kernelPatches.mips_fpu_sigill @@ -10949,7 +10957,11 @@ in }; linux_3_12 = callPackage ../os-specific/linux/kernel/linux-3.12.nix { - kernelPatches = with kernelPatches; [ bridge_stp_helper crc_regression ] + kernelPatches = with kernelPatches; + [ bridge_stp_helper + crc_regression + packet_fix_race_condition_CVE_2016_8655 + ] ++ lib.optionals ((platform.kernelArch or null) == "mips") [ kernelPatches.mips_fpureg_emu kernelPatches.mips_fpu_sigill @@ -10958,7 +10970,10 @@ in }; linux_3_18 = callPackage ../os-specific/linux/kernel/linux-3.18.nix { - kernelPatches = [ kernelPatches.bridge_stp_helper ] + kernelPatches = + [ kernelPatches.bridge_stp_helper + kernelPatches.packet_fix_race_condition_CVE_2016_8655 + ] ++ lib.optionals ((platform.kernelArch or null) == "mips") [ kernelPatches.mips_fpureg_emu kernelPatches.mips_fpu_sigill @@ -10969,6 +10984,7 @@ in linux_4_1 = callPackage ../os-specific/linux/kernel/linux-4.1.nix { kernelPatches = [ kernelPatches.bridge_stp_helper + kernelPatches.packet_fix_race_condition_CVE_2016_8655 ] ++ lib.optionals ((platform.kernelArch or null) == "mips") [ kernelPatches.mips_fpureg_emu @@ -10981,6 +10997,7 @@ in kernelPatches = [ kernelPatches.bridge_stp_helper kernelPatches.cpu-cgroup-v2."4.4" + kernelPatches.packet_fix_race_condition_CVE_2016_8655 ] ++ lib.optionals ((platform.kernelArch or null) == "mips") [ kernelPatches.mips_fpureg_emu @@ -10997,6 +11014,7 @@ in # !!! 4.7 patch doesn't apply, 4.8 patch not up yet, will keep checking # kernelPatches.cpu-cgroup-v2."4.7" kernelPatches.modinst_arg_list_too_long + kernelPatches.packet_fix_race_condition_CVE_2016_8655 ] ++ lib.optionals ((platform.kernelArch or null) == "mips") [ kernelPatches.mips_fpureg_emu